A sophisticated spearphishing campaign has slipped past the security controls of maritime companies to deliver Agent Tesla and Formbook. The attackers maintained persistence in the network for over a year without the crew being aware of it.
The campaign was first observed in October 2020 distributing Agent Tesla and then later switched to Formbook around mid-2022.
What has been found
EclecticIQ Intelligence and Research Team assessed the campaign and believes it was conducted by a single threat cluster.
The email body typically claimed that a ship was docking at a port and asked the recipient to open the malicious attachment for further details.
The spearphishing email would contain a CAB file using the name of a maritime vessel in its filename, enclosing the Agent Tesla malware.
Researchers found 20 such emails that appeared to come from a shipping company headquartered in Norway.
Switching to Formbook
In July 2022, the campaign shifted from Agent Tesla to Formbook using CAB file attachments. However, there’s not much clarity on why the cluster changed its tooling.
This new activity could be tied to the same cluster because of its consistent targeting of the maritime industry, its reuse of the same IPv4 address in the email headers, and the same email address in the messages' Reply-To field.
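The attribution reasoning above rests on two header-level artifacts that recur across messages: the originating IPv4 address recorded in the Received headers and the Reply-To address. The following script, an added example that is not part of the report or of EclecticIQ's tooling, parses a set of constructed sample emails (placeholder IPs, domains and vessel names, not indicators from the campaign) and groups them by that (origin IP, Reply-To) pair so that messages sharing infrastructure surface as one cluster.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Constructed sample messages for illustration only. The IPs (RFC 5737 test
# ranges), domains and vessel names are placeholders, not campaign indicators.
SAMPLE_EMAILS = [
    "Received: from mx.target.invalid (localhost [127.0.0.1])\n"
    "\tby mx.target.invalid; Mon, 4 Jul 2022 09:10:12 +0000\n"
    "Received: from smtp.example.invalid (smtp.example.invalid [203.0.113.10])\n"
    "\tby mx.target.invalid with ESMTP; Mon, 4 Jul 2022 09:10:11 +0000\n"
    "From: Operations <ops@shipping-corp.invalid>\n"
    "Reply-To: <docs.dept@freemail.invalid>\n"
    "Subject: MV PLACEHOLDER ONE arrival notice\n"
    "\n"
    "Vessel docking details attached.\n",

    "Received: from smtp.example.invalid (smtp.example.invalid [203.0.113.10])\n"
    "\tby mx.target.invalid with ESMTP; Tue, 5 Jul 2022 07:42:00 +0000\n"
    "From: Operations <ops@shipping-corp.invalid>\n"
    "Reply-To: Documentation <docs.dept@freemail.invalid>\n"
    "Subject: MV PLACEHOLDER TWO port call\n"
    "\n"
    "See attached port documents.\n",

    "Received: from relay.other.invalid (relay.other.invalid [198.51.100.7])\n"
    "\tby mx.target.invalid with ESMTP; Wed, 6 Jul 2022 11:00:00 +0000\n"
    "From: Agent <agent@other-mail.invalid>\n"
    "Reply-To: <agent@other-mail.invalid>\n"
    "Subject: Crew change schedule\n"
    "\n"
    "Schedule attached.\n",
]

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_ipv4(msg) -> Optional[str]:
    """Return the IPv4 address of the earliest hop the receiving MTA recorded."""
    received = msg.get_all("Received") or []
    # Each hop prepends its own Received header, so the last one in the list
    # is the hop closest to the sender. Loopback relays are skipped.
    for header in reversed(received):
        match = IPV4_IN_BRACKETS.search(header)
        if match and not match.group(1).startswith("127."):
            return match.group(1)
    return None


def reply_to_address(msg) -> Optional[str]:
    """Return the normalized Reply-To address, ignoring any display name."""
    _, addr = parseaddr(msg.get("Reply-To", ""))
    return addr.lower() or None


def cluster_by_infrastructure(raw_messages: List[str]) -> Dict[Tuple, List[str]]:
    """Group messages by (origin IPv4, Reply-To) and collect their subjects."""
    clusters = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        key = (origin_ipv4(msg), reply_to_address(msg))
        clusters[key].append(msg.get("Subject", ""))
    return dict(clusters)


def reused_infrastructure(raw_messages: List[str], min_messages: int = 2):
    """Keep only clusters whose infrastructure pair recurs across messages."""
    return {key: subjects
            for key, subjects in cluster_by_infrastructure(raw_messages).items()
            if len(subjects) >= min_messages}


if __name__ == "__main__":
    for key, subjects in reused_infrastructure(SAMPLE_EMAILS).items():
        print(key, "->", subjects)
```

The Reply-To address is worth keying on separately from From, because the visible sender can impersonate a legitimate shipping company while replies are routed to a mailbox the attacker controls; a spike of messages sharing one origin IP and one Reply-To across several vessel names is a cheap mail-gateway signal for this kind of campaign.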
Delivering Formbook in many ways
The threat cluster used four different delivery techniques to distribute Formbook.
The first technique used an attached Word document carrying an exploit for an old Microsoft Office vulnerability (CVE-2017-0199).
The second technique used a Microsoft xlsx spreadsheet embedding that exploit Word document.
The third technique used an xlsx spreadsheet embedding an RTF document exploiting CVE-2017-11882.
The fourth technique used attached RAR files containing Formbook executables.
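The four delivery techniques share a pattern a mail gateway can screen for: an archive (CAB or RAR) carrying an executable, or an Office package that embeds another document (a Word document or an RTF file) rather than plain spreadsheet content. The triage routine below is an added example, not code from the report; it identifies attachments by file signature rather than extension, opens OOXML packages to list embedded objects, and flags extension/content mismatches. The sample attachments are constructed in the test helper and the signature constants are standard file magics, not campaign indicators.

```python
import io
import zipfile
from typing import List

# Standard file signatures; used so that a renamed file cannot hide its type.
CAB_MAGIC = b"MSCF"
RAR_MAGIC = b"Rar!\x1a\x07"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx) is a zip
PE_MAGIC = b"MZ"

# What each extension claims to be; a mismatch is itself a triage signal.
CLAIMED_BY_EXTENSION = {
    "cab": "cab-archive", "rar": "rar-archive", "exe": "pe-executable",
    "doc": "ole-document", "rtf": "rtf-document",
    "docx": "ooxml-package", "xlsx": "ooxml-package",
}


def inspect_ooxml(data: bytes) -> List[str]:
    """List embedded objects inside an OOXML package and classify each one."""
    findings = ["ooxml-package"]
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for name in package.namelist():
            # Embedded documents live under xl/embeddings/ or word/embeddings/.
            if "/embeddings/" not in name:
                continue
            payload = package.read(name)
            if payload.startswith(OLE_MAGIC):
                findings.append(f"embedded-ole:{name}")
            elif payload.startswith(RTF_MAGIC):
                findings.append(f"embedded-rtf:{name}")
            else:
                findings.append(f"embedded-unknown:{name}")
    return findings


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return a list of findings describing what the attachment really is."""
    findings: List[str] = []
    if data.startswith(CAB_MAGIC):
        findings.append("cab-archive")
    elif data.startswith(RAR_MAGIC):
        findings.append("rar-archive")
    elif data.startswith(OLE_MAGIC):
        findings.append("ole-document")
    elif data.startswith(RTF_MAGIC):
        findings.append("rtf-document")
    elif data.startswith(PE_MAGIC):
        findings.append("pe-executable")
    elif data.startswith(ZIP_MAGIC):
        try:
            findings.extend(inspect_ooxml(data))
        except zipfile.BadZipFile:
            findings.append("corrupt-zip")

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = CLAIMED_BY_EXTENSION.get(ext)
    if claimed and claimed not in findings:
        findings.append(f"extension-mismatch:{ext}")
    return findings


def build_sample_xlsx_with_embedding(embedded: bytes) -> bytes:
    """Construct a minimal xlsx-like package carrying one embedded object.

    This is a constructed test input, not a real workbook from the campaign.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("xl/workbook.xml", "<workbook/>")
        package.writestr("xl/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx_with_embedding(b"{\\rtf1 constructed sample}")
    print(triage_attachment("port_documents.xlsx", sample))
```

Spreadsheets with embedded OLE objects do occur in legitimate traffic, so "embedded-rtf" or "embedded-ole" is a reason to sandbox or quarantine the message for review rather than a verdict on its own; combined with a CAB or RAR attachment named after a vessel, it matches the lure pattern described above closely enough to justify blocking by policy.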
Objective of the campaign
The use of commodity RATs shows that the group is focused on obtaining sensitive information such as credentials, session tokens, and email lists. This information could be leveraged in future BEC attacks or could be sold to provide initial access to other operators.
Conclusion
While the identity of the threat group remains unknown, researchers believe that the maritime industry remains susceptible to such attacks in the future. Moreover, the industry has become a significant target of ransomware attacks, which calls for a proper review of cyber risks in shipboard operations, bridge communications, cargo operations, and other critical operations. Experts suggest maritime companies should also train their crews to recognize phishing lures, reducing the threat posed by phishing emails.